Hacked HVAC: The BMS that could close your school

Cyber attacks. They’re highly disruptive, can result in a loss of data and severely hamper the functioning of a school or university. Small wonder then that educational establishments go to significant lengths to secure the network. Yet few will have thought to include the Building Management System (BMS) or even stopped to consider these systems could be a point of compromise that could put the school at risk of physical as well as virtual attack.

‘What, my heating system hacked!’ I hear you cry. ‘Why would anyone bother?’ The simple answer is because they can… but there’s also a great deal of disruption that can be caused by hacking a BMS. These controllers regulate services integral to the running of the school such as door access, as well as heating, ventilation and air conditioning. Compromise the BMS and you can disarm door entry, force a fire alarm or close a school down, or even use the device as a stepping stone to attack the school network. Maybe even use it as a vehicle for ransomware.

Often physically situated out of the way, these controllers are accessible via the internet to provide remote access, and it’s this that presents the problem. If the BMS has been installed insecurely by an installer who has left it discoverable on the public internet, it will be a sitting duck, open to attack.

So how real a threat is this? I did a quick scout online using Shodan, a search engine that is great at finding smart devices on the internet. In under ten seconds I found over a thousand of these devices. Each was easily identifiable because the original installers had included the make and model, revealing devices in dozens of schools dotted throughout the UK. One of these was for an infants’ school, another controlled the heating and cooling of a microbiology lab in a university. You get the picture.

The seriousness of this discovery resulted in the BBC contacting each and every one of the schools identified on Shodan when I flagged the story to them. Just as worrying was the fact that many of these devices had been in situ for years. Perhaps not surprisingly, some had already been infected with malware in the form of a crypto-mining worm.

Although the malware we found seemed to be inert, it would be relatively easy to upload a more malicious strain that could probe and attack associated networks. Other security issues included the ability to bypass the log-on for controllers left in default mode i.e. without a ‘guest’ user added. It’s also worth noting these controllers can be easily attacked physically as they’re often situated in quiet areas, making it possible to tamper with them undisturbed.

One manufacturer defended their equipment by referring to guidelines that recommend isolating the controllers on subnets and installing the equipment behind a firewall or on a VPN, as well as recommending its controllers be regularly updated to prevent direct access over the public internet. All well and good, but this advice is clearly not being heeded and there’s a ‘fit and forget’ culture that means that, post-installation, no one checks if these controllers are correctly configured.

These BMS have been installed by electricians and HVAC engineers who simply don’t understand security. I’d like to see manufacturers step up and take more responsibility by educating, accrediting and auditing installers’ work. It’s a win-win, giving the manufacturer the opportunity to further monetise and improve perceptions around their product all in one go.

Sadly, I don’t see that happening anytime soon and in the interim it’s down to schools to step up. Ask questions about what ‘stealth’ technology is in your buildings. Ask the guys who look after your HVAC how it’s monitored and managed. Whilst you’re there, ask about your door controllers and your IP alarm systems. Because BMS is just the beginning of the Internet of Things (IoT) set to invade our schools; things that, unpoliced, will place our institutions at risk of physical or virtual cyber attack.

Ken Munro is passionate about empowering the user and blowing away the fear, uncertainty and doubt (FUD) peddled by security vendors. He is a successful entrepreneur and is a founder and partner in Pen Test Partners, a partnership of like-minded professional penetration testers all of whom have a stake in the business. He is also on the executive steering board for the IoT Security Foundation which aims to promote security and improve standards in the market. Ken has been in the infosecurity business for approaching 20 years.